This is a Client-side security exit; thus, to make this work, the mqccred exit programs and configuration for the mqccred exit need to be setup on the MQ client machine/client connection. The mqccred programs must be copied to the MQ client machine, see steps below.

IMPORTANT: You need to ensure you have the correct mqccred exit executables/libraries for you particular platform and correct 32-bit/64-bit per your MQ client application. These are provided with the MQ client samples, under
tools/c/mqccred sub-directory. They should be copied to the MQ client's exits/exits64 sub-directory under the MQ server/client's data sub-directory.

You create a mqccred.ini file with your userid/passwords. There is a runmqccred program to obfuscate the passwords in the file. Then you need to modify the CLNTCONN channel to define the security exit.. This needs to be configured for the Client-side channel definition.

IMPORTANT: You need to ensure that the file permissions on the mqccred.ini file are such that only the user and group have access to the file, the file can NOT be readable by all. If on Windows, you will need to ensure the file does NOT have inherited permissions and only the user and/group has access to the file.

You need to copy the mqccred and mqccred_r exit programs, which are provided as samples with MQ v8 to the /var/mqm/exits subdirectory on the client machine. Make sure to see the IMPORTANT note above..

Example: If the MQ client application is running on a Windows platform, you need to ensure to get a Windows version of the mqccred.dll from the Windows MQ client install, and ensure it is copied to the MQ client's exits/exits64 subdirectory.

If using a CCDT, ensure your client's CCDT tab file is updated to include the correct definition.

As you noted, you need to ensure your client app knows where to get the CCDT file, by the 2 environment variables:

Hi Mike, Can you please let me know if a similar process is available for MQv7.1.X. Working on to implement client side security from IBM WebSphere Application server 8.5.5.2 but for some reason when JAAS J2C Auth alias is configured and applied to QCF, it is not getting applied or the creds are not being passed to MQ Qmanager despite following IBM documentation for required configs to be implemented in Java code. So would like to see if CCDT is an alternative here.

Hi Angel - if you really want to say thanks to Mike for a job well done, you should click the like button on his answer, or even more, reward him with reputation points, by clicking on the "Reward user" link at the end of his answer.

So I think it's correct that channel is blocked because we don't have a channel authentication record for an empty user on that channel. I assumed that the mqccred exit should provide the userid before the channel authentication record is evaluated.

It this also what you should expected? So yes, do we have to make some extra configruration to make this work? Or isn't is possible to use mqccred icm with authentication records.